Are owners of botnetted computers culpable?
-
Chris Losinger wrote:
i'm talking about mandating minimum security standards before a computer can be allowed to connect to the internet, or at least making it an offense to connect such a computer.
not going to happen, and you are fooling yourself if you think it ever will. It would restrict the amount of sales, and right now with the economy doing so poorly, nothing that restricts sales will ever fly.
Chris Losinger wrote:
now go to any computer store and try to find a product that, when you plug it in, will intentionally draw 10,000 watts, catch fire and burn your house down. can't do it? why's that ? hint: it's not because the salesmen aren't pushing it.
One problem. Digital copyright laws refuse to place monetary value to digital losses. There are reasons for this, too long to get into in this thread, but it is not going to happen. The loss of something digital, yours, mine, anyone's, has no value. It's one of the grey areas of the digital age. On one hand you want to support the record company and other groups that want to have 100% complete control over every byte of their product, on the other hand, if you go so far as to place a value on a byte, then a computer crash ultimately allows the user to sue the OS designer. So we are trapped in no-man's land, a vast wasteland of digital non-value and threats, and misuse, and problems. If you are expecting the government to step in and change this, just don't hold your breath while you wait.
Chris Losinger wrote:
it's the fact that there is absolutely no repercussions to people who don't secure them.
so you are saying that because I expect my home to be secure when I use a key, and someone breaks in through a window, I am responsible for the guy killing my wife? The user thinks their password is a key, as long as they don't give anyone their key, their computer is like their home. They don't even know they don't know because the salesman assured them that the computer is just like their home. As long as they don't give out their password they are fine. Even if there are repercussions, it is meaningless. The user doesn't understand what a bot is. You can lock them in jail, give them mandatory computer training in order to let them understand what they were tried and convicted of, but then it is too late. No matter what punishment you do, they won't understand. If a dog pee
El Corazon wrote:
not going to happen, and you are fooling yourself if you think it ever will. It would restrict the amount of sales, and right now with the economy doing so poorly, nothing that restricts sales will ever fly.
well, i'm really not sure that the economy "right now" has anything to do with "ever".
El Corazon wrote:
Digital copyright laws refuse to place monetary value to digital losses.
cite? but i wasn't talking about copyright issues - i'm talking about the harm in terms of harassment and loss of productivity and bandwidth due to being overwhelmed by spam. one simple example: if 80%-90% of email traffic today is spam, there must be enormous overcapacity built into the system just to keep non-spam emails moving. reducing spam by eliminating botnets would save ISPs at all levels huge amounts of time and money. make it a crime, and ISPs can start using law enforcement, or even just the threat of law enforcement, to crack down on users who abuse the system.
El Corazon wrote:
so you are saying that because I expect my home to be secure when I use a key, and someone breaks in through a window, I am responsible for the guy killing my wife?
no - unless you had a good reason to suspect that such a thing could happen and didn't bother with a security system, or at least a big dog. with an unsecured computer on the net, there's every reason to suspect that someone is going to try to break into it and start abusing it, immediately. it's more like leaving a loaded gun in a crowded playground.
El Corazon wrote:
You can lock them in jail, give them mandatory computer training in order to let them understand what they were tried and convicted of, but then it is too late. No matter what punishment you do, they won't understand.
:omg: all punishment is "too late" to prevent the crime that's being punished ! punishment works because people will work to avoid it. and, people will know what the crime and the punishment is the same way they learn what the punishments are for all the other crimes on the books: CSI, Law And Order, publ
-
ISPs have been shut-down for malware infected customers? Or for letting through DDOS and other bot attacks? I just don't think end users are going to be where this is won. They won't know and most won't care. They just want their computers to work. Shutting their connection off and telling them they are infected and spending many hours on the phone telling them to click this button and install this anti-malware and these patches is a no go for the ISP and a no go for the user.
regards, Paul Watson Ireland & South Africa
Fernando A. Gomez F. wrote:
At least he achieved immortality for a few years.
No. ISPs haven't been shut down for malware. I was just making a point that if someone suspected a client (user) of the ISP of harbouring a botnet, then it would be a better idea to have the ISP address the problem (for a small number of clients) than have the ISP suffer being shut off from the trunk for most of their other business. Given the choice, I would rather help the few clients inflicted with this than endanger my other (99%) clients. If you don't help the end consumer, then they're going to keep helping the botnet. I don't know. I thought informing the end user that they have a problem to deal with seemed reasonable to me. I guess others don't. Wow.
-
BitTorrent and other high-end users are a much bigger "problem" for ISPs. They suck a lot more bandwidth than malware infected computers. I'm not saying I agree with ISP thinking, just saying that by and large that is how they think. Plus one way to control malware infected computers is to shape their traffic instead of helping to solve the root problem. ISPs do this already with "abusive" users. If they think you are doing something odd then they ratchet your pipe down to a straw. They don't phone you, they don't even email you, they just shape you. Traffic shaping software is making good money for IT companies.
regards, Paul Watson Ireland & South Africa
Fernando A. Gomez F. wrote:
At least he achieved immortality for a few years.
-
That's very true, Paul. I can't stand that stuff myself. But the original question was specific about what to do with a botnet infected computer. Torrents proliferate all kinds of malware and illegal stuff 24x7. I hate it. But what if your computer had malware installed that was helping a botnet somewhere do whatever it is they do? Would you unplug the ethernet cable? Would you unplug the power cord? Would you scan the disk, memory clean and then plug it back into the "net"? You probably would take all those steps, being savvy and smart. But what about the not so smart users ..... you know what I mean...
-
Bert delaVega wrote:
But what about the not so smart users
If I knew I wouldn't still be here typing this. I'd be on the phone to a VC asking for $100 million as I had a sure-fire money maker. It is a really tough problem. Make computers too closed and idiot-proof and you reduce their utility. Make them open and "alive with possibility" and you by definition make them able to run malware. Phoning ISP support and having a low-paid, disinterested bloke walk you through removing malware is not going to help. The customer isn't helped to understand the real problem, just the symptoms are cured and left for a few weeks while the root of the problem (ignorance and needlessly complicated systems) is left. On one hand you want to educate all computer users but on the other hand computers are meant to help us, to save time and make us more productive. Users shouldn't have to know the internals to use them. They might as well go back to pen and paper if they have to become programmers to use their computers. Cars are getting better at this. A yearly check-up by a professional and you are grand. A car should run ten years without major problems. Computers aren't there yet. There are some basic things we can educate all computer users on but for the most part we are just going to have to suck it up and deal with the problems you and I created. Iterate, improve, simplify and do better in v2.
regards, Paul Watson Ireland & South Africa
Fernando A. Gomez F. wrote:
At least he achieved immortality for a few years.
-
Chris Losinger wrote:
cite?
check every time the bills come before congress, the same arguments apply. If you put a monetary value to digital time, you open up a full can of worms that will "destroy the foundation of computers" and thus it will not be done. The ISPs charge, they will do nothing. The computers are already sold, the makers will do nothing. The programmers, like us, left the holes, but as you say, we are not held responsible for our own mistakes, we are ultimately innocent of our own negligence right? The user is unaware we set him up, unaware some other idiot has taken over his computer, so we should punish him for not correcting our negligence. sounds fair to me.
Chris Losinger wrote:
are we talking about severely retarded people here?
yes, we are talking about the average user who will drive across town spending a gallon of gas to save 2 cents a gallon. they respond to phishing, and spam.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
El Corazon wrote:
but as you say, we are not held responsible for our own mistakes
except for the fact that i never said that, good point
-
Chris Losinger wrote:
except for the fact that i never said that, good point
Not in so many words, but you do want the user responsible for our mistakes. :) Because the user doesn't have the intelligence to see our mistakes, fix our mistakes, and sign up for long term monetary plans to repair our mistakes. Ultimately, it always comes back to us as programmers. We refuse, because we have no fault. fine the user for not knowing we left a hole and having the sense to fix it. Where in all this do we fit in? take away Granny's computer service because John C left a security hole in his application, because I left a buffer overflow in mine, because someone else thought they had a good encryption algorithm and didn't, it was cracked and the computer was laid open. But Granny is ultimately responsible for being negligent because we left her computer open to be stolen, and didn't know how to fix it? then mandate C# training to all computer users. Legislate that all computer owners must take a MS certification course before being allowed to use the internet. Enforce it with police inspection, and annual checkups. :) But in the whole scheme of things, where is our part in it all? Where is our responsibility too? Granny's computer is a battle ground, between us, as programmers to secure our applications, and hackers wanting in. We are the first line of defense against the CQ's of the world, we'll vote him down, but we'd all rather fine Granny for him using her computer than do more than vote him down.
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
-
El Corazon wrote:
but you do want the user responsible for our mistakes.
i want the users to be responsible for what their computers do. our security "mistakes" should cost us business and damage our reputations. and the market should avoid companies which make security mistakes - or, it would, if there was incentive for the user to choose secure programs. is there another market where the producers assume all liability and take it upon themselves to protect the customer from even knowing what the hazards are?
El Corazon wrote:
Ultimately, it always comes back to us as programmers.
except when you don't create any incentive for "it" to do so. you can't hold programmers responsible for writing secure programs if there's no incentive for their employers to make them program responsibly. if users don't seek out secure software (because there's no reason for them to do so because you seem opposed to even telling them what secure software is or what it does) then software companies will not write secure software. "security" won't be in the spec; it won't be tested for; it will be something conscientious and knowledgeable programmers do when they have the chance or inclination. programmers aren't going to do this out of the goodness of their hearts or some vague sense of pride. this is simple economics.
El Corazon wrote:
But Granny is ultimately responsible for being negligent because we left her computer open to be stolen, and didn't know how to fix it?
yes. granny's old enough to understand responsibility - she raised children, right?
El Corazon wrote:
Legislate that all computer owners must take a MS certification course before being allowed to use the internet. Enforce it with police inspection, and annual checkups
no. simply hold computer users responsible for what their computers do. what it does, it does in your name.
El Corazon wrote:
But in the whole scheme of things, where is our part in it all? Where is our responsibility too?
our responsibility is to our employers. we're not the knighted guardians of some sacred public trust, we're engineers, writing programs to meet the marketing needs of the people who pay our salaries. and if there's no market for secure software, we won't be asked to write
-
Simon Stevens wrote:
She is like the common user, they need adequate training before they can be trusted to remain safe.
There is one big difference. They are ALL told that they can go online safely, and everything will be fine. There is a license for drivers for a reason, it is not safe. There will never be a license for computing, but there is a racketeering service. If you don't pay your monthly fee someone will "get hurt" and you want to reinforce that service by saying we should punish the users? We gave them a car that cannot be locked without paying for the racketeering service because management wants the racketeering service income. Now we are demanding that the user be punished for not signing up for the racketeering service? Granny will be sold a computer and told it is completely safe. It may be the last message she will get before you toss her in jail for not getting adequate training? how is that somehow fair? If she gets any message it will be the racketeering message. Your computer is not safe, give us $75 a year for the rest of your life, or your computer will get hurt. How would you respond? pay the guy?
_________________________ Asu no koto o ieba, tenjo de nezumi ga warau. Talk about things of tomorrow and the mice in the ceiling laugh. (Japanese Proverb) John Andrew Holmes "It is well to remember that the entire universe, with one trifling exception, is composed of others."
I can see that paying for antivirus is really pissing you off, thought I'd just point out that free antivirus is available and works just fine, there's a lot of good anti-spy programs available for free as well as personal firewall software. So there goes your racketeering argument right out the window
-
Gunni wrote:
I can see that paying for antivirus is really pissing you off, thought I'd just point out that free antivirus is available and works just fine, there's a lot of good anti-spy programs available for free as well as personal firewall software. So there goes your racketeering argument right out the window
The average computer you go down to the store to buy comes with "free" 30 day licenses of commercial applications. The average user will never see a real free one unless you or I show up on their doorstep and tell about it. Some people here are still discovering it, and we're supposed to be more advanced than users (though a glance at any forum might make you feel otherwise -- still a glance at any forum will show you that users are dumber than those folks, yes, they are, on the average). The system is designed never to tell the user about the free versions. They will reach the end of their 30 day licenses, alarms will flare, popups will tell them that they have to pay money. If we pass a law demanding they must protect their machine, add another alarm telling them they will be arrested if they don't do something fast. Do you think they will consider that NOT a racket? The free ones are aimed at those who have the smarts to sniff them out, search them out. A user, for all their vaunted wisdom you seem to think they have, on the average doesn't search for something they don't know exists. That is an intuitive leap in logic. How do you learn something you do not know that you do not know? First you must either assume you don't know something, or just go browsing for something you don't know on a whim. Most users, most programmers don't even do that. Every time we discuss free AV, free backups, free spybot programs, free dev utilities, free anything, there are a slew of programmers, smarter than any user, who are pounding their hands on their head and saying, "wow, I didn't know that." Your user will not know that, which is why I install them for the user whenever I help someone. The system is still designed for a racket, and folks here seem to want to jump straight into enforcement without changing the underlying system. If you tell every user that free versions exist, Norton & McAfee would slap that company with a non-competitive clause and a gag order.
The average user will live and die in the computer age and never know a free version exists. Solve that and you can do what ever you want. But if you try too hard to advertise
-
El Corazon wrote:
The average computer you go down to the store to buy comes with "free" 30 day licenses of commercial applications.
It's a very common practice outside the computer industry, for instance "Free 30 day subscription No strings attached" except after those 30 days they start billing you without even letting you know and then make cancellation a pain.
El Corazon wrote:
The system is designed never to tell the user about the free versions.
Well of course... "Here is our product but if you go here you can get a similar product for free" isn't going to be getting any marketing exec a raise. Free market and capitalism baby.
El Corazon wrote:
The free ones are aimed at those who have the smarts to sniff them out, search them out. A user, for all their vaunted wisdom you seem to think they have, on the average doesn't search for something they don't know exists.
So you really don't think the average user is capable of thinking "Hmm, I don't want to pay for antivirus... maybe I'll google Free Antivirus and click the first non sponsored link that's returned" Doesn't seem so illogical or improbable does it? Point is that a lot of people prefer to pay, yeah sounds nuts don't it, it's something to do with perceived value (one of the reasons why some people think the whole world isn't using linux already). The thinking goes something like this "Of what worth is something that is free?" People who actually want to pay can't be victims of racketeering.
El Corazon wrote:
The system is still designed for a racket
Uhm, no it's designed for a profit. Granted there is quite a bit of exploitation of ignorance but that's true of most business, for instance I'm ignorant of how to fix my car, that's why I pay someone else to do it for me. I'm also lazy which is why I don't learn how to do it myself.
El Corazon wrote:
But if you try too hard to advertise the free alternatives, I'll lay you odds you will be forcibly quieted before too long.
Linux is still around. So are all its tireless promoters. No anticompetitive suits against them. What th